Resubmissions

14/06/2023, 17:21 UTC

230614-vw6wlabh9t 1

14/06/2023, 15:25 UTC

230614-st3eaaaf63 1

14/06/2023, 15:11 UTC

230614-skydzaaf7t 1

14/06/2023, 15:08 UTC

230614-sjbhtaae36 1

Analysis

  • max time kernel
    274s
  • max time network
    265s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/06/2023, 15:11 UTC

General

  • Target

    toCheck.xlsx

  • Size

    5.2MB

  • MD5

    d58c7369c34cd53ff2fb0f76fe059756

  • SHA1

    e9d2f46c9bf3d82ec9b744fa5aebc9b58f71bb55

  • SHA256

    79c1cc9bac58aa158b79e021830f158e53e1867aa3d2192aa0ffd71d008f10f4

  • SHA512

    a67e26b425eff318931bf80e0e4f47586dc2ea7a320a8246f88d108cfe056587d2f3e007db9990df07758143ef58a3688f0a56fc41200a04fcd5a55cec88050d

  • SSDEEP

    98304:Lp5XZT7sP3WxQSHS72DPUG08GzYr4P9yl8TlYabZv98YkvTGDq9A3Cksmw:V5JT7ZQSHSSwb8X8P9m83Nvavu/Pw

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\toCheck.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:2932

Network

  • flag-us
    DNS
    assets.msn.com
    Remote address:
    8.8.8.8:53
    Request
    assets.msn.com
    IN A
    Response
    assets.msn.com
    IN CNAME
    assets.msn.com.edgekey.net
    assets.msn.com.edgekey.net
    IN CNAME
    e28578.d.akamaiedge.net
    e28578.d.akamaiedge.net
    IN A
    95.101.74.139
    e28578.d.akamaiedge.net
    IN A
    95.101.74.151
  • flag-nl
    GET
    https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=1251b474-4ebc-4d7d-bc9b-972d18a22222&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
    Remote address:
    95.101.74.139:443
    Request
    GET /serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=1251b474-4ebc-4d7d-bc9b-972d18a22222&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask HTTP/2.0
    host: assets.msn.com
    x-search-account: None
    accept-encoding: gzip, deflate
    x-device-machineid: {46CAA714-52CC-4AB9-A019-1AE3E3C36027}
    x-userageclass: Unknown
    x-bm-market: US
    x-bm-dateformat: M/d/yyyy
    x-device-ossku: 48
    x-bm-dtz: 0
    x-deviceid: 0100B2E609000CC3
    x-bm-windowsflights: FX:117B9872,FX:119E26AD,FX:11D898D7,FX:11DB147C,FX:11DE505A,FX:11E11E97,FX:11E3E2BA,FX:11E50151,FX:11E9EE98,FX:11F1992A,FX:11F4161E,FX:11F41B68,FX:11FB0F2F,FX:1201B330,FX:1202B7FC,FX:120BB68E,FX:121A20E1,FX:121BF15F,FX:121E5EC8,FX:122D8E86,FX:123031A3,FX:1231B88B,FX:123371B1,FX:1233C945,FX:123D7C31,FX:1240013C,FX:1246E4A3,FX:1248306D,FX:124B38D0,FX:1250080B,FX:125A7FDA,FX:1264FA75,FX:126DBC22,FX:127159BE,FX:12769734,FX:127C935B,FX:127DC03A,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:129135BB
    sitename: www.msn.com
    x-bm-theme: 000000;0078d7
    muid: D4EAFA4AA86940188882725C6E2EF215
    x-agent-deviceid: 0100B2E609000CC3
    x-bm-onlinesearchdisabled: true
    x-bm-cbt: 1686755512
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    x-device-isoptin: false
    accept-language: en-US, en
    x-device-touch: false
    x-device-clientsession: E29703E0BD664E039748B1EE44C4A92B
    cookie: MUID=D4EAFA4AA86940188882725C6E2EF215
    Response
    HTTP/2.0 200
    content-type: application/json; charset=utf-8
    server: Kestrel
    access-control-allow-credentials: true
    access-control-allow-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
    access-control-allow-methods: PUT,PATCH,POST,GET,OPTIONS,DELETE
    access-control-allow-origin: *.msn.com
    access-control-expose-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
    content-encoding: gzip
    ddd-authenticatedwithjwtflow: False
    ddd-usertype: AnonymousMuid
    ddd-tmpl: lowT:0;TeaserTemp_cold:1;winbadge:1;tbn:0;partialResponse:1;coldStart:1;coldStartUpsell:1;daucoldcap:1;lowC:0
    ddd-feednewsitemcount: 0
    x-wpo-activityid: 59CB2E95-88D8-4387-B51D-22901797352B|2023-06-14T15:11:55.4870616Z|fabric:/wpo|FRC|WPO_106
    ddd-activityid: 59cb2e95-88d8-4387-b51d-22901797352b
    ddd-strategyexecutionlatency: 00:00:00.3963332
    ddd-debugid: 59cb2e95-88d8-4387-b51d-22901797352b|2023-06-14T15:11:55.4919123Z|fabric:/winfeed|FRC|WinFeed_98
    onewebservicelatency: 398
    x-msedge-responseinfo: 398
    x-ceto-ref: 6489d8bb64bb4bda9d194747541cd65b|2023-06-14T15:11:55.076Z
    expires: Wed, 14 Jun 2023 15:11:55 GMT
    date: Wed, 14 Jun 2023 15:11:55 GMT
    content-length: 1867
    akamai-request-bc: [a=92.123.71.139,b=190134717,c=g,n=NL__SCHIPHOL,o=20940],[a=20.74.25.147,c=o]
    server-timing: clientrtt; dur=3, clienttt; dur=, origin; dur=414 , cdntime; dur=-414
    akamai-cache-status: Miss from child
    akamai-server-ip: 92.123.71.139
    akamai-request-id: b5539bd
    x-as-suppresssetcookie: 1
    cache-control: private, max-age=0
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.1}
    timing-allow-origin: *
    vary: Origin
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    139.74.101.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    139.74.101.95.in-addr.arpa
    IN PTR
    Response
    139.74.101.95.in-addr.arpa
    IN PTR
    a95-101-74-139deploystaticakamaitechnologiescom
  • flag-us
    DNS
    89.44.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    89.44.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    44.8.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    44.8.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.201.50.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.201.50.20.in-addr.arpa
    IN PTR
    Response
  • 95.101.74.139:443
    https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=1251b474-4ebc-4d7d-bc9b-972d18a22222&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask
    tls, http2
    2.6kB
    10.9kB
    21
    19

    HTTP Request

    GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=1251b474-4ebc-4d7d-bc9b-972d18a22222&ocid=windows-windowsShell-feeds&user=m-d4eafa4aa86940188882725c6e2ef215&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask

    HTTP Response

    200
  • 20.42.65.90:443
    322 B
    7
  • 13.107.4.50:80
    322 B
    7
  • 13.107.4.50:80
    322 B
    7
  • 178.79.208.1:80
    322 B
    7
  • 8.8.8.8:53
    assets.msn.com
    dns
    60 B
    166 B
    1
    1

    DNS Request

    assets.msn.com

    DNS Response

    95.101.74.139
    95.101.74.151

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    139.74.101.95.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    139.74.101.95.in-addr.arpa

  • 8.8.8.8:53
    89.44.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    89.44.109.52.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    44.8.109.52.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    44.8.109.52.in-addr.arpa

  • 8.8.8.8:53
    14.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    200.201.50.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    200.201.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2932-133-0x00007FF8B3D50000-0x00007FF8B3D60000-memory.dmp

    Filesize

    64KB

  • memory/2932-134-0x00007FF8B3D50000-0x00007FF8B3D60000-memory.dmp

    Filesize

    64KB

  • memory/2932-135-0x00007FF8B3D50000-0x00007FF8B3D60000-memory.dmp

    Filesize

    64KB

  • memory/2932-136-0x00007FF8B3D50000-0x00007FF8B3D60000-memory.dmp

    Filesize

    64KB

  • memory/2932-137-0x00007FF8B3D50000-0x00007FF8B3D60000-memory.dmp

    Filesize

    64KB

  • memory/2932-138-0x00007FF8B1740000-0x00007FF8B1750000-memory.dmp

    Filesize

    64KB

  • memory/2932-139-0x00007FF8B1740000-0x00007FF8B1750000-memory.dmp

    Filesize

    64KB